so here are three RC bugs with maintainers clearly indicating that they
don't want the buggy packages to release and none look like they will be
fixed. The packages do not have reverse dependencies, so they seem to be
good for removal.
....
mailscanner #506353
The maintainer Simon Walter writes:
In the current state the package should not be part of
the lenny release.
I'm in no position to fix all this. I'm not familiar enough with
the MailScanner sourcecode and I'm not able to test the changes I
would have to make, in particular to all the virusscanner scripts.
upstream apparently does not seem to, let's say, consider the tempfile
vulnerability a bug and does not seem to want to fix it.
The mailscanner temp vulnerability seems to be fixed in upstream:
---
http://www.mailscanner.info/ChangeLog
18/12/2008 New in Version 4.74.11-1
...
* Fixes *
2 Major work on removing symlink attack vulnerabilities
affecting -autoupdate lock files.
Note: This vulnerability only affected systems where normal interactive
users could log in to the system, or create arbitrary symlinks in your
filesystem.
So the ISP-style setups were never vulnerable, as they didn't allow normal
users to login or allow people to arbitrarily create symlinks in the
filesystem.
2 Removed symlink attack vulnerabilities in SpamAssassin
---
Or are there more?
G.